> Stay away from Microsoft's EFS then, since the "key recovery" role can
> be assumed by an administrator.
I wouldn't say "stay away". Instead, say "be aware". If you're aware of the
limitations it's reasonable. We posted a position paper here:
http://ist.uwaterloo.ca/security/position/20020619/
Ps. a limitation on most cryptography -- an administrator can install a
key-stroke logger to grab your PGP key (or whatever product you recommend).